Self deletion of users relies on institution registration which follows additional rules
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mahara |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
Version: master
Having a look at the new self delete features, I've come across a bug:
Ability to delete self is determined by the registration status of the
institutions a user belongs to. If that institution has registration
enabled, then that user may delete their profile.
However, this check on user registration is based solely on the
registerallowed field in the institution table whilst the registration page
(register.php) checks whether the institution has an 'internal' auth
instance associated with it; and only then do they allow registration to
that institution.
The patch I've supplied only allows self deletion of users who have logged
in using the internal auth mechanism, in addition to the existing check on
registration being enabled.
| Andrew Nicols (dobedobedoh) wrote | #1 |
| Changed in mahara: | |
| assignee: | nobody → Richard Mansfield (richard-mansfield) |
| milestone: | none → 1.2.3 |
| Richard Mansfield (richard-mansfield) wrote | #2 |
| Changed in mahara: | |
| milestone: | 1.2.3 → none |
| Andrew Nicols (dobedobedoh) wrote | #3 |
| Changed in mahara: | |
| importance: | Undecided → Low |
| Changed in mahara: | |
| status: | New → Confirmed |
| François Marier (fmarier) wrote | #4 |
| Changed in mahara: | |
| assignee: | Richard Mansfield (richard-mansfield) → nobody |
| Robert Lyon (robertl-9) wrote | #5 |
| Kristina Hoeppner (kris-hoeppner) wrote | #6 |
| Changed in mahara: | |
| status: | Confirmed → Fix Released |
I just had a look at this, and I'm not sure that this patch is exactly the right thing to do. For one thing, it's possible for a user to have an authinstance of 'none', in which case there's no reason why they shouldn't be able to delete themselves.
But you also get the situation where the user has an xmlrpc authinstance whose parent authinstance is internal, so that the user can come in from Moodle but also log in at the Mahara login form. I expect that in most of these cases the institution would have registerallowed turned off, but if it was turned on it's kind of weird to determine self-deleting ability on whether they logged in first on the moodle or the mahara side.
Personally I'm not too worried about leaving things the way they are, but if this makes anyone really unhappy I think the simplest solution might be to just add a 'userscanselfde